Washington, DC - Even before the European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25th, the words “personal data breach” were enough to send shivers down to the spines of CIOs and CISOs the world over. While the public seems to be growing numb to the torrent of data breach news and notifications that have been coming their way (5,027 breaches compromising over 7.8 billion records in 2017), security professionals – especially corporate ones – are more sensitive than ever to the dangers of a personal data breach.
And now with the GDPR enforceable, in addition to the potential loss of business and damage to reputation that could occur, there is also potential for steep fines, potentially up to €20,000,000 or 4% of total international revenue.
That in turn has led to a major spike in self-reporting in the first month of GDPR enforcement, with 1,792 breaches self-reported to the UK Information Comissioner’s Office (the UK’s Data Protection Authority) in June of 2018. That’s compared to just 367 breaches reported in April, the last full month before the GDPR went into effect.
However, in a recent webinar, the ICO’s head of Data Breach Reporting, Laura Middleton, cautioned that: “not every personal data breach needs to be reported. So controllers should assess the likelihood and severity of risk to individuals before making that decision to report.”
So that’s what we’re going to cover today: under the GDPR, what constitutes a personal data breach and when should you report one?
Let’s hash it out.
Under the GDPR, what is a Data Breach?
In many ways, the term “Data Breach” is probably not a broad enough descriptor. Just like with many American laws, the legal definition and the popular definition differ. For the sake of the GDPR, Personal Data Breach covers a range of data incidents, everything from accidental disclosure to deletion to an actual breach of security where information is stolen. Here’s the official GDPR definition in Article 4(12):
‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Let’s break that down a little bit. A breach of security in this sense doesn’t have to be an attacker fighting through your defenses. A breach of security can occur as a result of something as simple as an employee’s mistake or a database error. The more important portion of this definition is the back half, which is fairly broad. And that’s likely led to some over-reporting, where incidents that didn’t rise to the level of needing to be reported were still documented with the ICO out of a sense of caution.
But for the sake of clarity, let’s define a GDPR personal data breach in our own laymen’s terms.
A personal data breach occurs anytime, whether by accident or an act of malice by an attacker, a customer’s data is inadvertently destroyed, lost, altered or disclosed to the wrong party.
Now, let’s talk about what your responsibilities are for reporting a data breach under the GDPR.
You have 72 hours to report a personal data breach after it’s discovered
This is the biggest thing that you need to be aware of as you investigate any data incident and make a determination on reporting: you have 72 hours from the time you discover the issue. Now, with a true breach the average time it takes a company to detect it usually around 190 days. Some of the other data incidents that roll up under the GDPR’s “Personal Data Breach” definition may take considerably less time to diagnose. Regardless of how long it takes for the problem to present itself, once it’s been discovered you need to document that down to the minute and from there you have three days to decide what you need to do.
Here’s how the GDPR lays out your responsibility in Article 33(1):
1In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 2Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
As you can see from the definition, your company or organization is faced with a decision regarding the severity of the incident. And much like with determining your “legitimate interests,” the GDPR is essentially asking you to perform an analysis that weighs the risk to the rights of the data subject.
To figure that out you’re going to need to answer some questions, and it would be a good idea to document these as part of your investigation.
- What Happened? What kind of incident was this, did you leave an AWS bucket with all of your users financial data protected or did you just send the wrong customer the wrong email?
- How many people were affected? Is this a large-scale breach or is it limited to just a handful of people. Most literature around GDPR puts the cut off for “large-scale” at 500 data subjects.
- What personal data was compromised? Is this just a customer’s name and email address? Or is it more sensitive data like financial information or special categories of personal data?
- What is the risk to the affected data subjects? Worst case scenario, what could be done with this information to harm the data subject either financially, materially or reputationally?
- What caused this situation? Was it an attacker exploiting your security? Was this a technical mistake? Human error?
- How easily can this issue be remediated? Will this take months to fix or is this just a simple tweak? When will you be able to accomplish this?
If you can answer those questions, you should be able to weigh what risks this personal data breach could pose to those affected and whether or not this incident rises to the level of reporting.
When is Reporting a Personal Data Breach not necessary?
That’s a decision that is entirely yours, one that should be made after considering all of the possible information regarding cause, size and scope. It would be irresponsible to make categorical suggestions here. But it should be pretty obvious once you investigate. Some of it also comes down to how cautious you want to be given the sizable penalties associated with messing this up.
It all comes down to the risk posed to the data subject(s). If the breach is small, limited to a single data subject, and doesn’t include passwords or financial data, you may be fine just documenting the situation and not reporting it. Or you might want to just play it safe and report it to your Data Protection Authority, anway.
Regardless, you need to be documenting everything. And if you decide not to report an incident, make sure you document why you chose not to, including an exaplanation of why you don’t feel this poses a significant risk to the data subject.
What information should be included in a breach notification?
Your breach notification is going to need to include all of the following information:
- A description of the personal data breach, including the categories and number of data subjects involved, as well as the types and quantity of records compromised.
- A name and contact information for either your registered Data Protection Officer or the individual heading up the investigation, someone who can be contacted for information.
- A description of the possible (and most likely) consequences of the compromise.
- A description of your investigation and any measures you have taken or will be taking to remediate the issue.
If you don’t have all of the information within the first 72 hours (when you are required to report), it can be provided in phases, as it becomes available, provided this is done in haste.
Remember, transparency is important. If your supervisory authority doesn’t think you’re acting in good faith you will be penalized. So don’t try to be sneaky or hide anything. Most Data Protection Authorities, at least at this point – early on in the GDPR enforcement period – have shown a willingness to work with companies and not be overly punitive. They’re not trying to be adversarial, they’re just trying to make sure that peoples’ rights are respected.
Who is my Data Protection Authority?
Your relevant Data Protection Authority varies by country and region. This is probably something you should have already figured out, but in the event you need a refresher, here’s a list of Data Protection Authority by country:
For the United States, your Data Protection Authority is either the Department of Transportation of the Federal Trade Commission. You can check out the rest of the DPAs below:
United States
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Telephone: (202) 326-2222
https://www.ftv.gov
Department of Transportation
1200 New Jersey Ave, SE
Washington, DC 20590
Telephone: (202) 366-4000
https://www.transportation.gov
EUROPEAN UNION
Austria
Österreichische Datenschutzbehörde
Hohenstaufengasse 3
1010 Wien
Tel. +43 1 531 15 202525
Fax +43 1 531 15 202690
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.dsb.gv.at/
Belgium
Commission de la protection de la vie privée
Commissie voor de bescherming van de persoonlijke levenssfeer
Rue de la Presse 35 / Drukpersstraat 35
1000 Bruxelles / 1000 Brussel
Tel. +32 2 274 48 00
Fax +32 2 274 48 35
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.privacycommission.be/
Bulgaria
Commission for Personal Data Protection
2, Prof. Tsvetan Lazarov blvd.
Sofia 1592
Tel. +359 2 915 3580
Fax +359 2 915 3525
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.cpdp.bg/
Croatia
Croatian Personal Data Protection Agency
Martićeva 14
10000 Zagreb
Tel. +385 1 4609 000
Fax +385 1 4609 099
This email address is being protected from spambots. You need JavaScript enabled to view it. or This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.azop.hr/
Cyprus
Commissioner for Personal Data Protection
1 Iasonos Street,
1082 Nicosia
P.O. Box 23378, CY-1682 Nicosia
Tel. +357 22 818 456
Fax +357 22 304 565
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.dataprotection.gov.cy/
Czech Republic
The Office for Personal Data Protection
Urad pro ochranu osobnich udaju
Pplk. Sochora 27
170 00 Prague 7
Tel. +420 234 665 111
Fax +420 234 665 444
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.uoou.cz/
Denmark
Datatilsynet
Borgergade 28, 5
1300 Copenhagen K
Tel. +45 33 1932 00
Fax +45 33 19 32 18
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.datatilsynet.dk/
Estonia
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Väike-Ameerika 19
10129 Tallinn
Tel. +372 6274 135
Fax +372 6274 137
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.aki.ee/en
Finland
Office of the Data Protection Ombudsman
P.O. Box 315
FIN-00181 Helsinki
Tel. +358 10 3666 700
Fax +358 10 3666 735
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.tietosuoja.fi/en/
France
Commission Nationale de l’Informatique et des Libertés – CNIL
8 rue Vivienne, CS 30223
F-75002 Paris, Cedex 02
Tel. +33 1 53 73 22 22
Fax +33 1 53 73 22 00
http://www.cnil.fr/
Germany
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Husarenstraße 30
53117 Bonn
Tel. +49 228 997799 0; +49 228 81995 0
Fax +49 228 997799 550; +49 228 81995 550
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.bfdi.bund.de/
Germany splits complaints between different agencies:
https://www.bfdi.bund.de/bfdi_wiki/index.php/Aufsichtsbeh%C3%B6rden_und_Landesdatenschutzbeauftragte
Greece
Hellenic Data Protection Authority
Kifisias Av. 1-3, PC 11523
Ampelokipi Athens
Tel. +30 210 6475 600
Fax +30 210 6475 628
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.dpa.gr/
Hungary
National Authority for Data Protection and Freedom of Information
Szilágyi Erzsébet fasor 22/C
H-1125 Budapest
Tel. +36 1 3911 400
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.naih.hu/
Ireland
Data Protection Commissioner
Canal House
Station Road
Portarlington
Co. Laois
Lo-Call: 1890 25 22 31
Tel. +353 57 868 4800
Fax +353 57 868 4757
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.dataprotection.ie/
Italy
Garante per la protezione dei dati personali
Piazza di Monte Citorio, 121
00186 Roma
Tel. +39 06 69677 1
Fax +39 06 69677 785
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.garanteprivacy.it/
Latvia
Data State Inspectorate
Director: Ms Daiga Avdejanova
Blaumana str. 11/13-15
1011 Riga
Tel. +371 6722 3131
Fax +371 6722 3556
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.dvi.gov.lv/
Lithuania
State Data Protection
Žygimantų str. 11-6a
011042 Vilnius
Tel. + 370 5 279 14 45
Fax +370 5 261 94 94
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.ada.lt/
Luxembourg
Commission Nationale pour la Protection des Données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.cnpd.lu/
Malta
Office of the Data Protection Commissioner
Data Protection Commissioner: Mr Joseph Ebejer
2, Airways House
High Street, Sliema SLM 1549
Tel. +356 2328 7100
Fax +356 2328 7198
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.dataprotection.gov.mt/
Netherlands
Autoriteit Persoonsgegevens
Prins Clauslaan 60
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
This email address is being protected from spambots. You need JavaScript enabled to view it.
https://autoriteitpersoonsgegevens.nl/nl
Poland
The Bureau of the Inspector General for the Protection of Personal Data – GIODO
ul. Stawki 2
00-193 Warsaw
Tel. +48 22 53 10 440
Fax +48 22 53 10 441
This email address is being protected from spambots. You need JavaScript enabled to view it.; This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.giodo.gov.pl/
Portugal
Comissão Nacional de Protecção de Dados – CNPD
R. de São. Bento, 148-3°
1200-821 Lisboa
Tel. +351 21 392 84 00
Fax +351 21 397 68 32
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.cnpd.pt/
Romania
The National Supervisory Authority for Personal Data Processing
President: Mrs Ancuţa Gianina Opre
B-dul Magheru 28-30
Sector 1, BUCUREŞTI
Tel. +40 21 252 5599
Fax +40 21 252 5757
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.dataprotection.ro/
Slovakia
Office for Personal Data Protection of the Slovak Republic
Hraničná 12
820 07 Bratislava 27
Tel.: + 421 2 32 31 32 14
Fax: + 421 2 32 31 32 34
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.dataprotection.gov.sk/
Slovenia
Information Commissioner
Ms Mojca Prelesnik
Zaloška 59
1000 Ljubljana
Tel. +386 1 230 9730
Fax +386 1 230 9778
This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.ip-rs.si/
Spain
Agencia de Protección de Datos
C/Jorge Juan, 6
28001 Madrid
Tel. +34 91399 6200
Fax +34 91455 5699
This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.agpd.es/
Sweden
Datainspektionen
Drottninggatan 29
5th Floor
Box 8114
104 20 Stockholm
Tel. +46 8 657 6100
Fax +46 8 652 8652
This email address is being protected from spambots. You need JavaScript enabled to view it.
http://www.datainspektionen.se/
United Kingdom
The Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Tel. +44 1625 545 745
This email address is being protected from spambots. You need JavaScript enabled to view it.
https://ico.org.uk
EUROPEAN FREE TRADE AREA (EFTA)
Iceland
Icelandic Data Protection Agency
Rauðarárstíg 10
105 Reykjavík
Tel. +354 510 9600; Fax +354 510 9606
This email address is being protected from spambots. You need JavaScript enabled to view it.
Liechtenstein
Data Protection Office
Kirchstrasse 8, P.O. Box 684
9490 Vaduz
Principality of Liechtenstein
Tel. +423 236 6090
This email address is being protected from spambots. You need JavaScript enabled to view it.
Norway
Datatilsynet
The Data Inspectorate
P.O. Box 8177 Dep
0034 Oslo
Tel. +47 22 39 69 00; Fax +47 22 42 23 50
This email address is being protected from spambots. You need JavaScript enabled to view it.
Switzerland
Data Protection and Information Commissioner of Switzerland
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Mr Adrian Lobsiger
Feldeggweg 1
3003 Bern
Tel. +41 58 462 43 95; Fax +41 58 462 99 96
This email address is being protected from spambots. You need JavaScript enabled to view it.
